Hello GRC folks!
Today we configure BusinessObjects Access Control 5.3 SP8 Compliant User Provisioning (CUP).
What we want to do is:
- approve requests automatically if the risk analysis found no violations
- start a workflow with a manual approval/mitigation/denial process if the risk analysis found violations for the request
The motivation is that you:
- want as little manual system interaction for your approvers as possible
- possibly have an integrated scenario with Identity Management (IdM), where a (manager) approval has already been done on the IdM application side
- only want to involve approvers if violations arise
The big picture is that you configure:
- a workflow A with your initiator and a stage with approver determinator “NO STAGE”
- a workflow B for the detour, with the stage(s) you want to have if violations were found
- a detour for A which detours to B if SoD violations were found for the request
- the parameter “Risk Analysis on request submission” to “YES”
CUP should now behave like this:
- Request comes in (manually or via web service from IdM)
- Risk analysis (CUP calls RAR via web service) is done and the results are saved in the request
- Initiator activates your workflow A
- Detour checks if its conditions are met
- Two options:
  1. No violations found: workflow A goes to stage “No Stage”, approves automatically and optionally does auto-provisioning
  2. Violations found: detour conditions are met, the request is detoured from A to B and arrives at the first stage configured in workflow B with all options of CUP (approval, denial, mitigation, etc.)
Now some screenshots to visualize the configuration:
- Parameter to set (Goto->Configuration->Risk Analysis)
- Initiator (could be any condition for your use case)
- Stage with “No Stage” approver determinator
- The two workflows you need
- First workflow with no stage
- Detour workflow if violations detected
- Detour configuration
Hope this helps your business!
PS: Special thanks to the mastermind of this idea, Frank Koehntopp.